Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote RSA Timing Attacks Practical

Posted by CowboyNeal on from the all-in-the-timing dept.

David Brumley and Dan Boneh writes "Timing attacks are usually used to attack weak computing devices such as smartcards. We show that timing attacks apply to general software systems. Specifically, we devise a timing attack against OpenSSL. Our experiments show that we can extract private keys from a OpenSSL-based server such as Apache with mod_SSL and stunnel running on a machine in the local network. Our results demonstrate that timing attacks against widely deployed network servers are practical. Subsequently, software should implement defenses against timing attacks. Our paper can be found at Stanford's Applied Crypto Group."

5 of 223 comments (clear)

  1. Personal crypto? by pro-mpd · · Score: 5, Interesting

    OK, so we know now that SSL servers may be vulerable. Can this sort of an attack be used against personal encryption, a la pgp?

  2. Xbox by Anonymous Coward · · Score: 5, Interesting

    Wouldn't this type of attack be feasible on the Xbox instead of trying to factor the key? You even have access to the hardware so very precise timing could be done.

    Just a thought.

  3. Actualyl it IS that bad by Anonymous Coward · · Score: 5, Interesting


    Being further from the server will add noise, but they already compensate for noise by averaging 7 samples (5 would have been sufficient for local use). Over a remote network, you take more samples. (perhaps quite a few)

    It currently takes 2 hours to crack a server.
    If you have a week or so of time on your hands, a realtively unused server (not mail.bigisp.com but admin.bigisp.com), and the asministrator doesn't notice the traffic spike, quite a few sites could be vulnerable.

    Remember, people get upset when crypto can be cracked in terms of *years* and *dollars*. This can crack things in HOURS on a fast pc.

  4. Why hasn't the simple fix reached OpenSSL? by dido · · Score: 5, Interesting

    I believe Paul Kocher first proposed (this is PDF) this attack way, way back in 1995, and as I recall, he even applied it to networked systems. RSA Labs' BSAFE, since version 3.0 has included a "blinding factor" in its RSA implementation that renders this attack ineffective. Reading the original RSA Labs bulletin (also PDF) on this attack shows a very simple fix, and I'm surprised that this hasn't made its way into OpenSSL! Ron Rivest proposed this back in early 1996. What's up?

    --
    Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
  5. Use this attack against X-Box by philthechill · · Score: 5, Interesting

    The paper mentions that things like palladium may also have this kind of problem (unless they implement timing protections of some sort), which leads me to believe the 2048-bit X-Box key could also be attacked this way, and probably much faster since you might be able to attack it right on the box without going over a network.

    But I could be wrong.

    Phil